Release notes
This topic lists both the latest features now available in CloudFlow and important documentation updates.
Note: In our technical documentation, we use the term "Azure Firewall" to refer to Azure Firewall (Policy-based) devices, distinguishing it from Azure Firewall (Classic).
April 2024 Update
Rebranding Update: CloudFlow Becomes AlgoSec Cloud
We're excited to share that CloudFlow is getting a new name – AlgoSec Cloud! This name change reflects our evolving brand identity, and is already aligned in our latest marketing initiatives. We'll be rolling out the new branding in our software over the next few months. During the transition period, our technical documentation will continue to refer to the platform as CloudFlow.
Azure Firewall | Network Zone Definitions
Now you can define the network zones Internal, DMZ and External in the customized risk profile Excel file, improving risk assessments and risk accuracy. See Network Zone Definitions: Enhanced Risk Accuracy. (Released 11-April-2024)
Manage notifications about risk & policy changes and ASMS connectivity on the new Notifications page. You can set notifications to be sent via email and Microsoft Teams to selected users, ensuring they receive only the notifications that are most relevant to them. For more details, see Configure CloudFlow Notifications. (Released 10-April-2024)
Now you can customize a risk report by selecting specific risks to include, focusing only on the areas that matter most to you. We've also provided the option in the report to only show the number of affected assets without listing them all by name. For more details, see Risks Report. (Released 4-April-2024)
March 2024 Update
- New CloudFlow deployment location for Middle East (ME) region
- See the date/time when data collection of onboarded accounts last completed successfully
For each risk, CloudFlow now displays a detection date so you can quickly understand what risks were recently added to your environment and take immediate actions to fix them. (Released 26-March-2024)
- The new Detected on column shows the date CloudFlow first detected a risk trigger for a rule. For more details, see Risk triggers.
- Filter risks by their detection date using the Detection date filter. Select a predefined or custom date range. For more details, see Search and filter risks.
New CloudFlow deployment location for Middle East (ME) region
We're excited to announce the addition of a new CloudFlow deployment location for our valued users in the Middle East region. CloudFlow is now hosted on the following AWS availability zones:
- ME: me-south-1 (Bahrain)
- US: us-east-1 (N. Virginia)
- EMEA: eu-central-1 (Frankfurt)
- ANZ: ap-southeast-2 (Sydney)
See Logging in and out. (Released 19-March-2024)
See when accounts were onboarded to CloudFlow
On the Onboarding page, you can now see the date when each account was successfully onboarded to CloudFlow. (Accounts onboarded before this feature was introduced will show N/A.) For more details about the new Onboarding Date column, see Onboarding Management. (Released 12-March-2024)
See the date/time when data collection of onboarded accounts last completed successfully
CloudFlow now makes it easy to see when the last successful data collection occurred. The "Last Successful Update" column on the Onboarding page shows the most recent date and time that data, necessary for calculating risks and other important information about your onboarded resources, was gathered. If an error occurred during the update process, it appears in the Status column. Hover over the status error icon to see details about the error as well as the last update attempt. For more details, see Onboarding Management. (Released 12-March-2024)
Filter risks according to virtual networks on the risk page
Now you can see which risks are associated with specified virtual networks. See Risk filters. (Released 12-March-2024)
February 2024 Update
Azure Firewall support for Last Used rule information and unused rules
CloudFlow now supports Azure Firewall log data to track the last usage of firewall rules, allowing users to identify unused rules and generate reports on them. For details, see Filter displayed policy sets, Export risk trigger details, and Enable Azure flow logs. (Released 12-March-2024)
January 2024 Update
Risks severity filter for Azure Firewall
We've added the Risks severity filter for Azure Firewall. This filter allows the display of only those policies in the list that contain rules with the selected severity level. See Manage network policy sets. (Released 29-January-2024)
Onboard Google Cloud resources from multiple organizations.
You can now onboard resources to CloudFlow from multiple organizations in Google Cloud. To ensure a smooth onboarding process, make sure that project IDs are unique across the different organizations. For more details, see Google Cloud project management. (Released 29-January-2024)
New onboarding methods for Google Cloud, Azure and AWS
Four methods for onboarding Google Cloud and Azure resources are now available in the onboarding wizard. You can choose from With Script, No Script (ideal for environments that do not support scripts), API, or Terraform methods, via a drop-down menu. For AWS, there are now three available methods to choose from: With Script, API, or Terraform. For more details, see:
- For Google Cloud: Google Cloud project management
- For Azure: Azure subscription management
- For AWS: AWS account management
(Released 29-January-2024)
Improved dashboard to explore and identify Account and Virtual Network issues
The dashboard on the Accounts Summary tab now offers expanded functionality. When you select an account in the Account Summary tab, you can see all the virtual networks in the account and pinpoint the virtual networks that are the root cause of network issues. You can also drill down into the virtual networks to explore further and gain a deeper understanding.
In the Account Summary page, we added two additional columns: Security policies and Cloud firewalls. These columns allow you to gauge the total number of security policies in each account. In addition, for Azure subscriptions you can review the number of Azure firewalls under each.
We also added summary pages for each virtual network.
For more details, see Review account status. (Released 17-January-2024)
December 2023 Update
Risk trigger indicators for individual Azure Firewall policies
CloudFlow now delivers enhanced insights regarding the number of risk triggers detected in Azure Firewall policies. Besides showing the risk trigger totals for each policy, you can now see the breakdown of these numbers at the rule collection group and individual rule levels. Clicking on any of these indicators opens a popup with detailed information on the risk triggers. For more information, see Manage network policy sets. (Released 26-December-2023)
You can now easily access your Account ID directly from CloudFlow. This is ideal if you're managing multiple accounts. It also simplifies the process of referencing an Account ID for support queries. To view and copy your account ID, just click on your username at the top right corner of the screen to open the drop-down. See Welcome to AlgoSec CloudFlow. (Released 26-December-2023)
Export Azure Firewall Risk Report to PDF
Now you can export risk reports for Azure Firewalls in PDF format. The report contains detailed information about risks and risk triggers found on Azure Firewall devices based on the filters selected by the user requesting the report. See Risks Report. (Released 14-December-2023)
November 2023 Update
Onboarding Azure resources without scripts
We've updated the onboarding wizard to include an option to onboard Azure subscriptions, management groups, and tenant root groups without using scripts. This is useful if your environment does not support scripts. For more details, see Azure subscription management. (Released 28-November-2023)
You can now see the status of your onboarded virtual machines and instances. Located in the Assets tab of the Overview page, the new Status column indicates whether or not the VM operating system and applications are running. See Review account status. (Released 14-November-2023)
New columns on the Changes page: Account Name and Virtual Network
The Changes page now has two new columns, providing additional information for Azure and AWS about the changed security groups:
- Account Name: The name of the subscription / account
- VNet / VPC: The virtual network where the change was detected
For more information, see Changed Security Groups list. (Released 2-November-2023)
To streamline your CloudFlow experience, we've removed the Home page. (Released 2-November-2023)
October 2023 Update
Export an Unused Rules Report to a CSV file
Now you can export an Unused Rules Report based on selected entities in the tree and filters (Vendor, Account, VNet/VPC, etc.), making it easy to share. See Export Unused Rules Report to a CSV file. (Released 11-October-2023)
September 2023 Update
Get information to build your own account summary dashboard
CloudFlow's new Get Account Summary Information API provides you with the data you need to build your own account summary dashboards, including information about risks and their severity, unused rules, risky assets, risks security rating, and trend. See Get account summary information API. (Released 27-September-2023)
August 2023 Update
Google Cloud Project auto onboarding
With the new Google Cloud Project auto onboarding process, CloudFlow continually syncs with your Google Cloud Projects. Any subsequent changes such as adding or removing projects are automatically reflected in CloudFlow. See Onboard Google Cloud resources using your preferred method. (Released 22-August-2023)
July 2023 Update
Accounts | New security rating and trend indicators
The Account Summary now includes a security rating, which shows the network security compliance level of the account. The trend indicator shows any changes in the security rating over time. See Review account status. (Released 31-July-2023)
On the Network Policy page, now you can click the risk severity level indicators on policies to get a detailed list of all the risk triggers associated with the policy. See View risks details at the policy level. (Released 31-July-2023)
The new User Activity tab provides administrators with a convenient way to check users' adherence to established protocols and assists in the prevention and detection of fraudulent activities. Review key information such as who initiated an activity and when. For more details, see Track User Activities. (Released 19-July-2023)
View Google Cloud Project unused rules
Now on the Overview page, for each project you can see the number of Google Cloud Project rules not being used. This information can assist in cleaning the policies and reducing the attack surface. Click on the number to open the Network Policies page and get the unused rules report. See Review account status. (Released 4-July-2023)
June 2023 Update
Identify public-facing assets with risks
We've made it easier for you to spot potential issues with your assets. On the Account Summary tab, you'll now see the Risky Assets column which shows you how many of your assets with public IPs have critical or high risks. It's a quick way to identify what risks you should handle first. For more details, see The Account Summary tab. (Released 20-June-2023)
See the number of risk triggers per asset
Now on the Overview page's Assets tab, you can see the number of risk triggers associated with each asset. This allows you to quickly understand each asset's risk exposure and then take corrective steps. For more details, see The Assets tab. (Released 14-June-2023)
Affected Assets for Inherited Policies
CloudFlow now displays affected assets for detected risks on all rules, including inherited rules. See View rule risks & affected assets. (Released 5-June-2023)
With the new Azure onboarding process, CloudFlow continually syncs with your Azure subscriptions. Any subsequent changes such as adding or removing subscriptions are automatically reflected in CloudFlow. See Onboard Azure resources using your preferred method. (Released 5-June-2023)
CloudFlow now provides admins with a detailed explanation of account data collection failure. To learn more, see Access the ONBOARDING MANAGEMENT page. (Released 5-June-2023)
May 2023 Update
Azure Firewall risk information
Now on the CloudFlow Risks page, you can view Azure Firewall (Managed with Policies) risk information and see recommended remediation. For more info see Work with risks. (Released 23-May-2023)
The Assets tab has a new column, Address, which displays the public and private IP address of the asset. For more info, see The Assets tab. (Released 11-May-2023)
April 2023 Update
Google Cloud Project Policy Cleanup
CloudFlow now tracks rule usage for onboarded Google Cloud Projects so you can identify unused rules for both inherited rules and firewall policy rules. For more info, see Clean up policies. (Released 10-April-2023)
Important: Existing customers will need to add the required permission in Google Cloud Project. See Google Cloud project management.
March 2023 Update
- Account Summary tab: Get a comprehensive view of your accounts
- See all rules protecting the Google Cloud Project VPC in one place
Manage risk profiles in CloudFlow
In the new Risk Profile page, you can manage which risk profile CloudFlow uses to calculate risks to your onboarded accounts and assets. For more details, see Manage CloudFlow risk profiles. (Released 22-March-2023)
Account Summary tab: Get a comprehensive view of your accounts
The renamed Overview page (previously known as Inventory) gives you a comprehensive view of your network resources. The Account Summary tab gives you a detailed summary of all onboarded accounts, including potential risk indicators based on the activated risk profile. For more details, see Overview page tabs. (Released 16-March-2023)
See all rules protecting the Google Cloud Project VPC in one place
Now you can see all the rules protecting the Google Cloud Project VPC in one place in the Network Policies tab. View VPC firewall rules and the inherited rules used by that firewall. Inherited rules are located above the VPC firewall rules and are distinguished by grey rows. For more details see Flattened Hierarchical View of Google Cloud Policies. (Released 1-March-2023)
February 2023 Update
We've revamped the AWS onboarding process. During onboarding, CloudFlow connects with your AWS StackSets and automatically syncs all accounts (Stacks) at once. Any subsequent changes made to StackSets in AWS such as addition or removal of accounts are automatically reflected in CloudFlow. See AWS account management. (Released 14-February-2023)
The new Changes page in CloudFlow gives details on rule changes made on your on-boarded AWS accounts and Azure subscriptions. We will be rolling out this feature to our customers in phases during Q1 and Q2 2023, so if you still don't see it, you will soon! See View changes history. (First released 19-November-2022)
January 2023 Update
In CloudFlow Settings, we've renamed the Accounts page to Onboarding Management and given it a UI facelift. For more details see Onboarding Management. (Released 27-January-2023)
Official support for OKTA for SSO
AlgoSec SaaS applications now officially support OKTA as an SSO provider. See Manage Single Sign-On (SSO). (Released 27-January-2023)
IaC (Infrastructure-as-Code) Connectivity Risk Analysis
AlgoSec's IaC Connectivity Risk Analysis solution is an extensible security plug-in platform that checks code for potential vulnerabilities before any commits are made to a repository. Using it, you can accelerate application delivery by taking a proactive, preventive, and collaborative approach within your CI/CD pipeline. Developers have clear visibility into risks right in the source control applications and are given clear remediation steps without needing to move to different applications or wait for a security admin to manually review and approve that the code is risk free. See IaC Connectivity Risk Analysis. (Released 1-January-2023)
November 2022 Update
Important: Make sure you update your Azure permissions.
CloudFlow now shows information about your Azure Firewall (Managed with Policies) and its network, application, and NAT rules. See Filter displayed policy sets. (Released 28-November-2022)
We've added new filters to the Network Policies page. Each vendor has its own unique set of filters which you can use to refine the policy sets displayed. See Vendor-specific filters. (Released 9-November-2022)
October 2022 Update
- Documentation Enhancement: Azure, AWS, Google Cloud Project required permissions
- Google Cloud Project Inherited Policies Visibility and Risks
Documentation Enhancement: Azure, AWS, Google Cloud Project required permissions
You asked for it, we delivered. We’ve added a list of permissions for Azure, AWS, and Google Cloud Project. Have a look here: Azure, AWS, and Google Cloud Project. (Released 24-October-2022)
Google Cloud Project Inherited Policies Visibility and Risks
Important: Make sure you update your Google Cloud Project permissions.
CloudFlow now displays Google Cloud Project Inherited policies:
- On the Network Policies page, you can view details such as the folder where the inherited policy is defined, its calculated risks, and which target networks use the inherited policies.
- On the Risks page, there is a new column indicating the risks found in rules in inherited policies.
(Released 24-October-2022)
August 2022 Update
You can now log in to CloudFlow SSO-enabled tenants with a single click. To set up SSO on a tenant, see Manage Single Sign-On (SSO). (Released 22-August-2022)
The new Protected by column on the ASSETS tab of the Inventory page helps you to understand the protection each of your VMs has and to identify unprotected assets. See Review account status. (Released 10-August-2022)
July 2022 Update
CloudFlow's Network Policies page added a tree structure so you can quickly navigate between cloud vendors and drill down into individual VPCs/VNets. See Manage network policy sets. (Released 18-July-2022)
The new Severity filter allows you to also filter risks by risk severity. (Released 14-July-2022)
We’ve added a new topic explaining how to work with tags in CloudFlow. On the Risks page, filtering based on tags can focus your risk analysis and remediation specifically on the risks identified by the selected tags. A common use case for tags is to identify all assets related to applications. See Work with tags. (Released 6-July-2022)
Minimum permissions for roles that are not Azure-built-in roles
We've added a new section detailing minimum permissions for roles that are not Azure built in roles. See Permissions required for Azure roles. (Released 6-June-2022)
June 2022 Update
When the connection with ASMS is established, CloudFlow by default automatically starts to collect risks from the ASMS Standard Risk Profile. You can also use a custom profile instead of the ASMS Standard Risk Profile. See Calculate risks from ASMS. (Released 6-June-2022)
Cloud secure communication over HTTP tunnel connection from ASMS in A32.10
Starting from the June 6 HF of ASMS A32.10 (build A32.10.380-180), AlgoSec Cloud secure communication takes place over TLS, which by ASMS default is transported over an HTTP tunnel. The traffic that is encapsulated is encrypted with the Public Key certificate mechanism. The HTTP tunnel can run with or without a customer proxy server. See ASMS-AlgoSec SaaS trust and communication. (Released 6-June-2022)
Cross account flow logs for S3 bucket
You can now create cross account flow logs for your S3 (Simple Storage Service) bucket in AWS. See Enable VPC flow logging for S3. (Released 13-June-2022)
May 2022 Update
Cloud secure communication over HTTP tunnel connection from ASMS in A32.20
New to ASMS A32.20, ASMS-AlgoSec Cloud secure communication takes place over TLS, which by ASMS default is transported over an HTTP tunnel. The traffic that is encapsulated is encrypted with the Public Key certificate mechanism. The HTTP tunnel can run with or without a customer proxy server. See ASMS-AlgoSec SaaS trust and communication. (Released 2-May-2022)
April 2022 Update
Custom Roles or System Roles can be assigned to users
Custom roles define accounts as managed, read-only or with no permission for the users to which these roles are assigned. This lets administrators control which accounts users can see or manage. Like system roles, multiple custom roles can be applied to one user. However, custom roles and system roles cannot be applied to the same user. See Custom Roles. (Released 22-Apr-2022)
March 2022 Update
Risks now shown for Policy Sets
The total number of policy set risks and risks per rule of each severity level are displayed for policy sets listed in the Network Policy tab. (Released 14-Mar-2022)
Google Cloud Project Network Risks Support
Google Cloud Project Risks are now displayed on the CloudFlow Risks page, providing complete visibility and access to risks across all your on-boarded Google Cloud Project accounts. See Work with risks. (Released 7-Mar-2022)
Updated AlgoSec Cloud Services Security Practices
We've added new information. See AlgoSec SaaS Services Security Practices. (Released 1-Mar-2022)
February 2022 Update
List of minimum required Azure Permissions
This list of limited permissions will simplify onboarding Azure subscriptions. See Permissions required for Azure roles. (Released 17-Feb-2022)
January 2022 Update
Third-party software components
A list of third-party software components used in AlgoSec cloud applications is now available on the portal Documentation Resources page (under AlgoSec Cloud Documentation). (Released 6-Jan-2022)
December 2021 Update
Reset Password from the CloudFlow Access Management UI
A CloudFlow Admin can reset a user's password. See Reset Password. (Released 22-Nov-2021)
All CloudFlow users can create Risks Reports. Risks Report presents a snapshot of risks and risk triggers found at a specific time based on the filters selected by the user requesting the report. See Risks Report and Work with risks. (Released 27-Dec-2021)
October 2021 Update
CloudFlow's October 2021 update provides the following new features:
- Manage API Access Keys from the CloudFlow Access Management UI
- Support for running Admin and Risks APIs from the API Documentation
Manage API Access Keys from the CloudFlow Access Management UI
CloudFlow supports managing access keys for use with AlgoSec APIs. See Manage API Access Keys. (Released 18-Oct-2021)
Support for running Admin and Risks APIs from the API Documentation
To access the CloudFlow APIs, click on this link: api-docs.algosec.com or the link: at the top of the CloudFlow online documentation landing page. (Released 18-Oct-2021)
August 2021 Update
CloudFlow's August 2021 update provides the following new features:
CloudFlow now supports three built-in user roles. For details, see Access Management. (Released 11-Aug-2021)
For a selected risk, export the details of the associated risk triggers. For details, see Export risk trigger details. (Released 11-Aug-2021)
June 2021 Update
CloudFlow's June 2021 update provides the following new feature and bug fixes:
Initial Support for Google Cloud
CloudFlow now supports Google Cloud in preview mode - Onboarding Google Cloud Projects and Inventory. For details, see Google Cloud project management. (Released 21-Jun-2021)
- AWS accounts data collection status is displayed as “Failure” when one or more regions in the target account are disabled. CloudFlow now skips disabled regions. (SUP-14932, 9-Jun-2021)
- The network policies interface may be unusable when the system is onboarded with a large number of cloud accounts. The relevant DB queries have been enhanced and the underlying infrastructure was scaled up to accommodate large accounts. (SUP-14896, 31-May-2021)
- The network policies interface may be unusable when the system is onboarded with a large number of cloud accounts. The relevant DB queries have been enhanced to accommodate large accounts. (SUP-14519, 1-May-2021)
April 2021 Update
CloudFlow's April 2021 update provides the following improvement:
Multi-factor Authentication (MFA) enforcement option
CloudFlow now provides the option of setting Multi-factor Authentication (MFA) enforcement for secure user login. For details see Log in and other basics and Access Management. (Released 12-Apr-2021)
March 2021 Update
CloudFlow's March 2021 update provides the following improvement:
In addition to the ability to filter risks for cloud types, accounts and regions, you can now focus your risk analysis and remediation on specific categories of risks identified by tags (key/value combinations) applied to the cloud platform assets.
Customers can leverage this capability to focus on analyzing and remediating risks related to specific applications. For example, the tag filter App: eCommerce can be used to review all the risks related to the eCommerce application. See Work with risks. (Released 15-Mar-2021)
February 2021 update
CloudFlow's February 2021 update provides the following improvement:
Easily focus on your risks and risk triggers of interest using the Cloud type, Account and Region filters at the top of the Risks page. Each of these optional filters can accommodate multiple values. You can quickly shorten the list of available filter values by typing in the filter field. See Risk filters. (Released 9-Feb-2021)
January 2021 update
CloudFlow's January 2021 update provides the following improvement:
The Risks page has been redesigned to provide a better and easier user experience. The complete list of risks and all details for the selected risk, including all risk trigger details, are accessible from one page. This avoids the generation of multiple tabs and the need to browse between those tabs. For details, see Work with risks. (Released 4-Jan-2021)
December 2020 update
CloudFlow's December 2020 update provides the following new features and bug fix:
You are now able to establish trust between CloudFlow and ASMS. This integration allows hybrid functionality such as Check connectivity over the hybrid network. For details about establishing this trust, see ASMS integration to SaaS services. (Released 28-Dec-2020)
Check Connectivity for the Hybrid Network
You are now able to run a connectivity check (traffic simulation query) on an Azure NSG rule to observe how traffic is routed and whether it is allowed across your entire hybrid network (i.e. across NSGs, firewalls, routers, etc., deployed on cloud and/or on-prem). For details, see Check connectivity for the hybrid network. (Released 28-Dec-2020)
Data collection failure for Azure subscriptions having a large number of storage accounts. Excessive data collection requests resulted in Azure API rate limiting. Relevant API call has been enhanced to collect the same data in fewer requests. (SUP-12908, 7-December-2020, SUP-13120, 28-December-2020)
Note: Although this seems identical to the release note (regarding SUP-11388 and SUP-12111) below, the customer Azure setup in each case was different and the solutions are different.
November 2020 update
CloudFlow's November 2020 update provides the following new and improved features:
AWS VPC Flow Logs Collection from CloudWatch
CloudFlow is now able to collect AWS VPC Flow Logs from CloudWatch (in addition to the existing ability to do the same from S3 buckets).
This provides better flexibility for customers that wish to enjoy CloudFlow rule cleanup and rule usage capabilities with logs stored on CloudWatch.
For more details, refer to VPC Flow Logs. (Released 16-Nov-2020)
Suppressing risks and risk triggers
Risks and risk triggers can now be suppressed (i.e. acknowledged) to ensure a shorter risks list and avoid reviewing risks and risk triggers you trust and consider as “noise”.
For more details, refer to Suppress/Activate risks and risk triggers. (Released 9-Nov-2020)
New individual admin users can now be added and managed from the CloudFlow interface. For more details, refer to Access Management. (Released 2-Nov-2020)
October 2020 update
CloudFlow's October 2020 update provides the following issue resolution:
Resolved/Optimized:
Data collection failure for Azure subscriptions having a large number of storage accounts. Excessive data collection requests resulted in Azure API rate limiting. The relevant API call has been enhanced to collect the same data in fewer requests. (SUP-12111, 5-Oct-2020)
Note: Although this seems identical to the release note (regarding SUP-11388, 14-Sep-2020) below, the customer Azure setup in each case was different and the solutions are different.
September 2020 updates
CloudFlow's September 2020 update includes several resolved issues:
Resolved:
- Rule usage was not shown for AWS Security Groups policy rules when VPC Flow Logs were sent to both CloudWatch and S3. (CloudWatch is not supported by CloudFlow.) Now, the sending of CloudWatch VPC Flow Logs does not negatively affect the CloudFlow rule usage display, which is based on S3 log data. (SUP-11782, 14-Sep-2020)
- For large AWS accounts with a large number of Security Groups, not all the security groups were displayed on the AWS SGs network policies interface. (CS-2980, 14-Sep-2020)
- When using the Azure subscription PowerShell setup script, the "Contributor" role may be assigned to a different subscription from the one the user selected.
Note: The issue originates from a recent change Azure made in the relevant API. (CS-2969, 14-Sep-2020)
Resolved/Optimized:
- Data collection failure for Azure subscriptions having a large number of storage accounts. Excessive data collection requests resulted in Azure API rate limiting. The relevant API call has been enhanced to collect the same data in fewer requests. (SUP-11388, 14-Sep-2020)
July 2020 updates
CloudFlow's July 2020 update provides the following enhancements and bug fix:
- Improved Azure risk triggers/affected assets calculations
- New option facilitates NSG flow logs collection permissions
- Azure Scale Sets support
- Bug fix
Improved Azure risk triggers/affected assets calculations
Azure NSG risk triggers and affected assets calculations have been improved. For details, see Work with risks.
New option facilitates NSG flow logs collection permissions
An option has been added in the Azure subscription PowerShell setup script. The option assigns roles required for NSG flow logs collection.
Azure Scale Sets support
CloudFlow now collects Azure Virtual Machine Scale Sets configurations.
The VM parts of Scale Set data are:
- displayed as VM records in the Inventory section
- taken into consideration in risk calculation, and
- displayed as affected assets in the Risk interface.
Bug fix
The flickering of Inventory Asset and Security Control lists in high-magnitude zoom or on large screens has been eliminated.
June 2020 updates
CloudFlow's June 2020 update provides the following enhancements:
- New login screen
- AWS SG rules cleanup support
- Unused rules on-the-fly analysis time modification
- ICMP support for Azure NSG rules
- Policy rule count
New login screen
A new login screen has been introduced, allowing the user to submit all the login credentials in one screen.
During first-time login, Admin users can now provide their email. This enables them to reset their password at any time, using the Forgot Password button.
AWS SG rules cleanup support
Cloud security groups are constantly adjusted, and can bloat rapidly. This makes cloud security groups difficult to maintain, and increases potential risk.
When viewing AWS SG policy sets, CloudFlow now provides a Cleanup view that enables you to show unused rules only.
Use this Cleanup view when optimizing your network policies by removing rules that may no longer be required because they are no longer in use.
For more details, see Clean up policies.
Note: To view last used data for AWS SGs, you must have flow logs enabled for each relevant SG. For more details, see Enable VPC flow logging.
Unused rules on-the-fly analysis time modification
In both the AWS SGs policies page and the Azure NSGs policies page, the analysis time window for unused rules can be changed on the fly. A rule's last-used column shows the last-used date or "no traffic logged".
Note: This requires flow logging to be enabled for the relevant AWS VPCs and/or the relevant Azure NSGs.
ICMP support for Azure NSG rules
The ICMP protocol is now supported for Azure NSG rules.
As of June 2020, Azure does not enforce ICMP sub-types in NSG rules; a source or destination port configured alongside the ICMP protocol is ignored by Azure.
Policy rule count
Policy rule counts are displayed on policy pages. They indicate the number of rules per policy or group of policies, or the number of rules filtered or searched (i.e. all, unused, and filtered by search criteria).
April 2020 updates
CloudFlow's April 2020 update provides the following enhancements:
Enhanced central policy management
CloudFlow's NETWORK POLICIES area has been redesigned to provide a smoother flow for viewing and editing your network policies.
Main user interface updates include the following:
- Policy tree and unified policy management
The NETWORK POLICY tree now displays only AWS SG policies, Azure NSG policies, and Azure Firewall (classic). Click an item to view and manage all policy sets for the selected type on a single page.
On the page for each type, CloudFlow displays both policies with only one security control, such as a single AWS Security Group, and policy sets with multiple, similar, security controls.
- All security controls are automatically part of a policy set
Each individual security control is now assigned to a default policy set. Search for similar security controls to merge them as needed.
Note: Since each policy now has a default policy set, you no longer need to create a new policy set from scratch. Instead, merge similar policy sets to create a new, central policy set.
For more details and updated instructions for viewing, editing, merging, and dissolving policy sets, see Manage network policy sets.
Azure NSG rules cleanup support
Cloud security groups are constantly adjusted, and can bloat rapidly. This makes cloud security groups difficult to maintain, and increases potential risk.
When viewing Azure NSG policy sets, CloudFlow now provides a Cleanup view that enables you to show unused rules only.
Use this Cleanup view when optimizing your network policies by removing rules that may no longer be required because they are no longer in use.
For more details, see Clean up policies.
Note: To view last used data for Azure NSGs, you must have flow logs enabled for each relevant NSG. For more details, see Enable Azure flow logs.
March 2020 updates
CloudFlow's March 2020 update provides the following updates:
Last used rule data for Azure NSG risks
CloudFlow now enables you to view the last date a specific rule was used on the risk triggers details page, for Azure NSGs. This data is based on your NSG flow logs, and helps you to clean up your NSG network policies by identifying rules that have little or no use.
We recommend removing rules that are not in use to keep your policies clean and simple.
The last used column displays one of the following values:
- A date, which is the last date that a rule was used, or triggered. CloudFlow analyzes rule usage in the last 30 days only.
- No traffic logged, if the rule was not used at all during the last 30 days
- Flow logs disabled, if flow logs are not enabled for the relevant NSG
In order to display rule usage data, you must enable flow logging for your NSG. You can do this for each NSG manually in the Azure console, or for multiple NSGs using a script provided by CloudFlow.
CloudFlow will automatically start to collect flow log data for any NSG with flow logging enabled, even if it was added to CloudFlow at an earlier time.
Tip: We recommend that you enable flow logs whenever you provision a new NSG in your subscription, or even configure your system to enable flow logs automatically when a new NSG is provisioned.
For more details, see Enable Azure flow logs.
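To make the three last-used states and the analysis window concrete, here is an added example (not CloudFlow's code; it only mirrors the behaviour described above) that derives them from NSG flow log records. The same functions give the unused-rules Cleanup view and the on-the-fly analysis window described in the June 2020 update. The flow log sample, the rule names, the resource ID and MAC address, and the analysis time (20 March 2020) are all constructed for the example; the tuple layout follows the NSG flow log version 2 format.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an NSG flow log (format version 2) blob.
# Each v2 flow tuple is:
#   unix_time,src_ip,dst_ip,src_port,dst_port,proto,direction,decision,state,
#   pkts_src_to_dst,bytes_src_to_dst,pkts_dst_to_src,bytes_dst_to_src
# The resource ID and MAC address are placeholders, not real resources.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2020-03-11T08:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/0000/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "AllowHTTPSInbound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1583827200,203.0.113.7,10.0.0.4,51234,443,T,I,A,B,,,,",   # 2020-03-10 08:00Z
            "1583913600,203.0.113.9,10.0.0.4,51300,443,T,I,A,B,,,,",   # 2020-03-11 08:00Z
        ]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1581000000,198.51.100.2,10.0.0.4,40000,22,T,I,D,B,,,,",   # 2020-02-06 14:40Z
        ]}]},
    ]},
}]})

# Rules of the NSG as the policy page would list them; AllowRDPInbound never appears in the log.
SAMPLE_RULES = ["AllowHTTPSInbound", "AllowRDPInbound", "DefaultRule_DenyAllInBound"]
SAMPLE_NOW = datetime(2020, 3, 20, tzinfo=timezone.utc)  # constructed analysis time


def rule_last_hit(flow_log_json):
    """Most recent flow-tuple timestamp (UTC) per NSG rule name."""
    last = {}
    for record in json.loads(flow_log_json)["records"]:
        for rule_flows in record["properties"]["flows"]:
            rule = rule_flows["rule"]
            for per_nic in rule_flows["flows"]:
                for tup in per_nic["flowTuples"]:
                    ts = datetime.fromtimestamp(int(tup.split(",")[0]), tz=timezone.utc)
                    if rule not in last or ts > last[rule]:
                        last[rule] = ts
    return last


def last_used_column(rule_names, last_hit, now, window_days=30, flow_logs_enabled=True):
    """Value of the last-used column per rule: a date, "No traffic logged" or "Flow logs disabled"."""
    if not flow_logs_enabled:
        return {r: "Flow logs disabled" for r in rule_names}
    cutoff = now - timedelta(days=window_days)
    column = {}
    for r in rule_names:
        ts = last_hit.get(r)
        column[r] = ts.date().isoformat() if ts is not None and ts >= cutoff else "No traffic logged"
    return column


def unused_rules(rule_names, last_hit, now, window_days=30):
    """Cleanup view: rules with no logged traffic inside the analysis window."""
    column = last_used_column(rule_names, last_hit, now, window_days)
    return [r for r in rule_names if column[r] == "No traffic logged"]


def sample_last_used(window_days=30, flow_logs_enabled=True):
    """Run the analysis over the constructed sample with the given window."""
    return last_used_column(SAMPLE_RULES, rule_last_hit(SAMPLE_FLOW_LOG), SAMPLE_NOW,
                            window_days, flow_logs_enabled)


def sample_unused(window_days=30):
    return unused_rules(SAMPLE_RULES, rule_last_hit(SAMPLE_FLOW_LOG), SAMPLE_NOW, window_days)


if __name__ == "__main__":
    for window in (30, 60):
        print(window, sample_last_used(window))
    print(sample_unused())
```

Widening the window from 30 to 60 days moves DefaultRule_DenyAllInBound from "No traffic logged" to its February date, which is exactly why a cleanup decision should state the window it was taken against; a rule that is only hit by a monthly or quarterly job looks unused in a short window.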
Azure NSG risk enhancements
CloudFlow's risk analysis now supports Azure NSG rules with Service tags or Application security groups (ASGs).
For more details, see Work with risks.
Service tag support
In addition to detecting risks for Azure rules with Service tag values, CloudFlow has specific risks for Service tag definitions.
For example, one such risk is triggered for any Azure NSG rule whose destination is the ActiveDirectory service tag and whose destination port is any.
ASG support
CloudFlow detects network risks for rules consisting of Azure ASGs by identifying the ASG network content and calculating risks accordingly.
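As an added illustration (example code, not CloudFlow's implementation) of how a risk like the ActiveDirectory one above is evaluated, the following resolves each rule's destination content, keeping service tags by name and expanding ASG destinations to their member addresses, then flags Allow rules to the ActiveDirectory tag on any port and lists the assets that any-port Allow rules reach. The rule set, the ASG resource ID and its member addresses are constructed for the example in the shape of Azure's securityRules JSON; the ASG-to-assets expansion goes beyond the service-tag risk shown on the page.

```python
# Added example (not CloudFlow code): evaluate the ActiveDirectory service-tag
# risk over NSG rules, resolving ASG destinations to their member addresses.

# Azure spellings of "any destination port" on an NSG rule.
ANY_PORTS = {"*", "0-65535"}

# Constructed sample rules in the shape of Azure's securityRules[] JSON,
# trimmed to the fields the check reads. Resource IDs are placeholders.
ASG_APP = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
           "/providers/Microsoft.Network/applicationSecurityGroups/asg-app")
NSG_RULES = [
    {"name": "AllowAnyToAD", "properties": {
        "access": "Allow", "direction": "Outbound", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "ActiveDirectory",
        "destinationPortRange": "*"}},
    {"name": "AllowLdapToAD", "properties": {
        "access": "Allow", "direction": "Outbound", "protocol": "Tcp",
        "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "ActiveDirectory",
        "destinationPortRanges": ["389", "636"]}},
    {"name": "DenyAllToAD", "properties": {
        "access": "Deny", "direction": "Outbound", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "ActiveDirectory",
        "destinationPortRange": "*"}},
    {"name": "AllowWebToApp", "properties": {
        "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
        "sourceAddressPrefix": "10.0.0.0/24",
        "destinationApplicationSecurityGroups": [{"id": ASG_APP}],
        "destinationPortRange": "0-65535"}},
]
# Constructed ASG membership (NIC private IPs) as a collector would resolve it.
ASG_MEMBERS = {ASG_APP: ["10.0.1.4", "10.0.1.5"]}


def dest_ports(props):
    """Destination port ranges as a set; Azure uses either the singular or the plural field."""
    return set(props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")])


def is_any_port(props):
    return bool(dest_ports(props) & ANY_PORTS)


def destinations(props, asg_members):
    """Destination content of a rule: tags and prefixes by name, ASGs expanded to members."""
    dests = list(props.get("destinationAddressPrefixes") or [])
    if props.get("destinationAddressPrefix"):
        dests.append(props["destinationAddressPrefix"])
    for asg in props.get("destinationApplicationSecurityGroups") or []:
        dests.extend(asg_members.get(asg["id"], []))  # unknown ASG: no resolvable content
    return dests


def service_tag_any_port_triggers(rules, asg_members, tag="ActiveDirectory"):
    """Allow rules whose destination is the service tag and whose destination port is any."""
    triggers = []
    for rule in rules:
        props = rule["properties"]
        if props["access"] != "Allow":
            continue
        if tag in destinations(props, asg_members) and is_any_port(props):
            ports = ",".join(sorted(dest_ports(props)))
            triggers.append({"rule": rule["name"], "evidence": f"dst={tag} ports={ports}"})
    return triggers


def any_port_allow_by_asset(rules, asg_members):
    """Affected assets: each resolved address reachable on any port, with the Allow rules that open it."""
    by_asset = {}
    for rule in rules:
        props = rule["properties"]
        if props["access"] != "Allow" or not is_any_port(props):
            continue
        for dest in destinations(props, asg_members):
            if dest[0].isdigit():  # an address or prefix, not a tag such as ActiveDirectory
                by_asset.setdefault(dest, []).append(rule["name"])
    return by_asset


if __name__ == "__main__":
    print(service_tag_any_port_triggers(NSG_RULES, ASG_MEMBERS))
    print(any_port_allow_by_asset(NSG_RULES, ASG_MEMBERS))
```

Only AllowAnyToAD triggers: the LDAP rule restricts ports, and the Deny rule is not an exposure. The ASG rule produces no service-tag trigger but does show up per member address, which is what lets a risk report name affected assets rather than an opaque ASG ID.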
January 2020 updates
CloudFlow's January 2020 update provides the following updates:
Azure NSG network risks
CloudFlow now supports risks detected in Azure NSGs.
For example, in the CloudFlow RISKS area, view both AWS SG and Azure NSG risks and their full details.
For more details, see Work with risks and Azure subscription management.
Streamlined risk trigger remediation
Risk trigger details pages now also include hyperlinks directly to the relevant policy set for each trigger item.
Click a link in the Evidence column to jump to the relevant policy.
A new tab is opened to display the policy set. There, the relevant rule is highlighted and you can edit the policy to make any changes needed.
For example, modify or remove the offending rule to avoid allowing risky traffic.
For more details, see View risks and risk details and Edit network policy rules.
Earlier updates
The following sections cover CloudFlow's release notes from earlier releases.
The November 2019 update includes the following features and enhancements:
- View all network policy sets per type
- Edit a policy set name, description, and members, or dissolve a set
- Unassigned security controls
- Export risk triggers to CSV
- Add cloud provider accounts as read-only
- Azure NSG and SG Description fields
View all network policy sets per type
CloudFlow now provides a high-level view of all network policy sets of a specific type, either Azure Firewall (classic), Azure NSGs, or AWS SGs.
In the Network Policies navigation tree, click a parent node to view all sets of the selected type. The policy sets of the selected type are displayed in a grid.
For more details, see Manage network policy sets.
Edit a policy set name, description, and members, or dissolve a set
The Policy Set grid that displays all sets of a specific type enables you to drill down to each set, as well as edit high level details or dissolve a set altogether.
Note: Dissolving a set only removes that set from CloudFlow, and lists related security controls as unassigned. Policy rules in each member policy are left intact.
For more details, see Edit policy set properties and Unassigned security controls.
Unassigned security controls
If you have accounts managed by CloudFlow with security controls that are not assigned to a CloudFlow policy set, CloudFlow now highlights these controls in the NETWORK POLICIES navigation tree.
Click a set of unassigned firewalls, NSGs, or SGs to display the list and assign items to either a new or an existing policy set.
For more details, see Manage network policy sets.
Export risk triggers to CSV
Now you can export a list of risk triggers detected by CloudFlow. This enables you to access essential details such as public IP addresses, and enables further analysis and easy sharing.
The downloaded CSV file includes a full list of triggers for the selected risk, all affected assets, and the relevant private and public IP addresses.
In a Risk Triggers page, click Export details to download your CSV file.
For more details, see Work with risks.
Add cloud provider accounts as read-only
You may want to add cloud accounts or subscriptions to CloudFlow for read-only analysis purposes, without enabling any changes to be made from CloudFlow.
Now you can do this by determining read-only permissions for both AWS and Azure.
Determine read-only or read/write permissions when adding the account to CloudFlow. For more details, see the updated procedures in Azure subscription management and AWS account management.
Azure NSG and SG Description fields
In Azure NSG and SG rules, the field that was previously labeled Description has been renamed to CloudFlow Comment.
We renamed this field to clarify that this comment is based in CloudFlow only. Your Azure Description field value remains unchanged, regardless of the updates you make in CloudFlow.
For more details, see Manage network policy sets and Field reference per rule type.
The October 2019 update includes the addition of the RISKS module to CloudFlow.
Note: The RISKS module is supported in Early Availability mode, and currently includes only network risks triggered by AWS security groups.
Click the RISKS item from the menu on the left to display a list of all the security risks detected in your CloudFlow accounts.
Risks are displayed in a grid that provides an overview of your risk data. Click a specific row to show more details about the selected risk on the right.
For more details, see Work with risks.
September 2019 updates include the following:
- AWS S3 buckets displayed in the inventory
- View asset and security control details
- Azure Firewall (classic) service tag support
- AWS Security Group ICMP support
- Performance enhancements
AWS S3 buckets displayed in the inventory
The CloudFlow dashboard now shows AWS S3 buckets in the AWS > ASSETS area and on the ASSETS tab.
For more details, see Review account status and AWS account management.
View asset and security control details
Now you can access full details about your assets and security controls from the CloudFlow inventory.
On the INVENTORY page, click the ASSETS or SECURITY CONTROLS tabs to view lists of available items in your inventory.
Click an item to view its details.
In the Asset or Security Control details dialog, click:
- Expand All or Collapse All to view more or fewer details
- Copy to clipboard to copy the full list of details elsewhere
For more details, see Review account status and AWS account management.
Azure Firewall (classic) service tag support
CloudFlow now enables you to select one or more service tags as the destination in a network rule on Azure Firewall (classic).
For more details, see Manage network policy sets and Field reference per rule type.
AWS Security Group ICMP support
In AWS SGs policy sets, define rules with specific ICMP types. Depending on the ICMP type you select, you may also be able to select an ICMP sub-type.
For more details, see Manage network policy sets and Field reference per rule type.
Performance enhancements
We've enhanced CloudFlow's performance to support thousands of security groups.
Add your account to CloudFlow today! For details, see AWS account management.
August 2019 updates include the following:
FQDN support in Azure Firewall (classic) application rules
CloudFlow now enables you to define FQDN tags or specific target FQDNs in an application rule on Azure Firewall (classic).
For more details, see Manage network policy sets and Field reference per rule type.
Security groups in AWS SG rules
CloudFlow now enables you to set a security group as the source in an AWS SG rule.
For more details, see Manage network policy sets and AWS SGs (Security Groups) controls.
July 2019 updates include the following:
CloudFlow now supports the ability to onboard AWS accounts to your CloudFlow tenant, enabling you to manage your AWS network policies and view inventory from CloudFlow.
For example, rules in a network policy set for AWS SGs can be edited directly in CloudFlow.
To add an AWS account to CloudFlow, you'll need to create a new CloudFlow role in AWS.
CloudFlow provides a CloudFormation template to help you create this role, or you can create it manually. For details, see AWS account management
When modifications are made to network policies from CloudFlow, such as adding or updating a rule, CloudFlow now displays the status of those modifications.
For example, any failed updates are indicated above the rule table.
For more details, see Manage network policy sets.
May 2019 updates include:
- Network policy sets for Azure NSGs
- Security controls in your CloudFlow inventory
- Usability updates
- Stability bug fixes
Network policy sets for Azure NSGs
CloudFlow now supports Azure Network Security Groups. This enables you to create network policy sets for Azure NSGs, allowing you to view and manage your Azure NSG policies from a central location. This feature also supports Application Security Group (ASG) configurations.
For more details, see Manage network policy sets.
Security controls in your CloudFlow inventory
The CloudFlow inventory is automatically updated, and represents your cloud security assets. CloudFlow now supports the ability to view the list of security controls associated to the accounts in your inventory.
Use the navigation tree to browse through your CloudFlow inventory and view the security controls in each segment of your cloud estate.
Note: Inventory support for security controls currently includes NSGs and Azure Firewall (classic).
For more details, see Review account status.
CloudFlow now continuously monitors your configured cloud assets. This automatically synchronizes your CloudFlow inventory and network policy sets without requiring you to re-add your Azure subscriptions.
Usability updates
Each new version of CloudFlow brings additional usability updates to enhance your CloudFlow experience.
Among other updates, this version of CloudFlow includes breadcrumbs at the top of each page to help you keep context of where you are in CloudFlow.
Stability bug fixes
This version of CloudFlow includes the following bug fixes:
CS-486: When changes are made to a network policy set and the page refreshes, CloudFlow now retains the context and keeps you in the same place that you were viewing or editing before the refresh.
For more details, see Manage network policy sets.
See also: